๐Ÿ”จ

HardHat v2.0

The only tool you need to harden your Red Hat environment. 938 lines of pure Bash covering 100+ CIS, NIST, and STIG security checks across 11 modules.
CIS Benchmark NIST 800-53 DISA STIG SELinux 11 Modules HTML Reports
โญ View on GitHub ๐Ÿ“ฅ Download Script
root@rhel9 ~/HardHat
$ sudo ./hardhat.sh --audit

โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ•šโ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•
โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘ โ–ˆโ–ˆโ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ• โ•šโ•โ•โ•šโ•โ• โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ• โ•šโ•โ•โ•šโ•โ• โ•šโ•โ• โ•šโ•โ•

[INFO] Detected RHEL version: 9
[INFO] Mode: AUDIT ONLY

โ”โ”โ” 1. FILESYSTEM CONFIGURATION (CIS 1.1) โ”โ”โ”
  [PASS] CIS 1.1.1 โ€” Filesystem 'cramfs' is not loaded
  [PASS] CIS 1.1.1 โ€” Filesystem 'squashfs' is not loaded
  [PASS] CIS 1.1.2 โ€” /tmp is a separate partition

โ”โ”โ” 4. MANDATORY ACCESS CONTROL (CIS 1.6) โ”โ”โ”
  [PASS] CIS 1.6.1.4 โ€” SELinux mode: Enforcing

โ”โ”โ” 6. SSH SERVER HARDENING (CIS 5.2) โ”โ”โ”
  [FAIL] CIS 5.2.x โ€” SSH PermitRootLogin = 'yes' (expected: no)
  [PASS] CIS 5.2.x โ€” SSH PermitEmptyPasswords = no
  [WARN] CIS 5.2.13 โ€” SSH Ciphers not explicitly configured

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  HardHat Hardening Summary
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  PASS:  78    FAIL:  15    WARN:  8
  Score: 76% โ€” Needs improvement
938
Lines of Code
11
Modules
100+
Security Checks
3
Standards
Hardening Modules
1
Filesystem
CIS 1.1
Disable unused FS (cramfs, squashfs, udf, hfs), /tmp partitioning, mount options, sticky bit enforcement.
15+ checksauto-fix
2
Packages & Integrity
CIS 1.2-1.3
GPG keys, gpgcheck enforcement, pending updates, AIDE file integrity monitoring.
4 checksAIDE
3
Boot & Process
CIS 1.4-1.5
GRUB2 bootloader password, config permissions, core dump restriction, ASLR.
4 checksGRUB2
4
SELinux
CIS 1.6
SELinux installed, not disabled, targeted policy, Enforcing mode, unconfined services.
5 checksMAC
5
Network
CIS 3.1-3.5
20 sysctl params (IP forwarding, redirects, SYN cookies, martians), firewall, wireless, protocols.
25+ checkssysctlfirewall
6
SSH Server
CIS 5.2
17 sshd_config params, strong ciphers/MACs, root login, timeouts, X11, TCP forwarding.
20+ checkscrypto
7
User Accounts
CIS 5.3-5.6
Password policy, system accounts, UID 0 audit, empty passwords, umask, su restriction.
10+ checksPAM
8
Audit & Logging
CIS 4.1-4.2
auditd + 10 audit rules (time, hostname, identity, sudo, logins, SELinux), rsyslog, log perms.
8+ checksauditd
9
Services
CIS 2.1-2.2
Disable 21 unnecessary services (avahi, cups, telnet, rsh, NFS, SNMP). NTP validation.
22+ checkssystemd
10
File Permissions
CIS 6.1-6.2
Critical file permissions, world-writable files, unowned files, SUID/SGID binary audit.
12+ checksintegrity
11
Login Banners
CIS 1.7
Warning banners for /etc/motd, /etc/issue, /etc/issue.net. OS info leakage detection.
4+ checkscompliance
Quick Start
# Clone the repo
git clone https://github.com/SiteQ8/HardHat.git
cd HardHat

# Audit only (safe, no changes)
sudo ./hardhat.sh --audit

# Audit + auto-fix
sudo ./hardhat.sh --fix

# Specific modules
sudo ./hardhat.sh --module ssh,network,selinux

# Dry run (preview changes)
sudo ./hardhat.sh --dry-run
Standards Alignment
StandardCoverageDescription
CIS Benchmark RHEL 8/9Level 1 + Level 2Industry gold standard for OS hardening
NIST SP 800-53AC, AU, CM, IA, SCFederal security and privacy controls
DISA STIGCAT I, II, IIIDoD technical implementation guidance
NIST SP 800-171PartialProtecting CUI in non-federal systems
PCI DSS v4.0PartialPayment card data protection

๐Ÿ”จ HardHat v2.0 โ€” Your destination for a secured Red Hat environment

MIT License | GitHub | @SiteQ8 โ€” Ali AlEnezi ๐Ÿ‡ฐ๐Ÿ‡ผ

CIS Benchmark ยท NIST 800-53 ยท DISA STIG ยท 938 lines of pure Bash